
puppet-augeasproviders_sysctl's Introduction


sysctl: type/provider for sysctl for Puppet

This module provides a new type/provider for Puppet to read and modify sysctl config files using the Augeas configuration library.

The advantage of using Augeas over the default Puppet parsedfile implementations is that Augeas will go to great lengths to preserve file formatting and comments, while also failing safely when needed.

This provider hides all of the Augeas commands, so you don't need to know anything about Augeas to make use of it.

Requirements

Ensure both Augeas and ruby-augeas 0.3.0+ bindings are installed and working as normal.

See Puppet/Augeas pre-requisites.

Documentation and examples

Type documentation can be generated with puppet doc -r type or viewed on the Puppet Forge page.

manage simple entry

sysctl { "net.ipv4.ip_forward":
  ensure => present,
  value  => "1",
}

manage entry with comment

sysctl { "net.ipv4.ip_forward":
  ensure  => present,
  value   => "1",
  comment => "test",
}

delete entry

sysctl { "kernel.sysrq":
  ensure => absent,
}

remove comment from entry

sysctl { "kernel.sysrq":
  ensure  => present,
  comment => "",
}

manage entry in another sysctl.conf location

sysctl { "net.ipv4.ip_forward":
  ensure => present,
  value  => "1",
  target => "/etc/sysctl.d/forwarding.conf",
}

do not update value with the sysctl command

sysctl { "net.ipv4.ip_forward":
  ensure => present,
  value  => "1",
  apply  => false,
}

only update the value with the sysctl command, do not persist to disk

sysctl { "net.ipv4.ip_forward":
  ensure  => present,
  value   => "1",
  persist => false,
}

ignore the application of a yet to be activated sysctl value

sysctl { "net.ipv6.conf.all.autoconf":
  ensure => present,
  value  => "1",
  silent => true
}

Issues

Please file any issues or suggestions on GitHub.

Transfer Notice

This plugin was originally authored by hercules-team. The maintainer preferred that Puppet Community take ownership of the module for future improvement and maintenance. Existing pull requests and issues were transferred over; please fork and continue to contribute here instead of hercules-team.

Previously: https://github.com/hercules-team/augeasproviders_sysctl

puppet-augeasproviders_sysctl's People

Contributors

alexjfisher, bastelfreak, buzzdeee, domcleal, ekohl, h-haaks, igalic, isc-lindensc, jamespwilliams, lukebigum, mrolli, nick-markowski, olevole, raphink, trevor-vaughan, zilchms


puppet-augeasproviders_sysctl's Issues

kernel.printk is not a valid sysctl key

Hello,
I am having an issue with augeasproviders_sysctl.
It can't set the kernel.printk key in sysctl with the error:

Sysctl[kernel.printk]: Could not evaluate: Error: `kernel.printk` is not a valid sysctl key

Puppet is 6.17.0
Proof that kernel.printk is in sysctl:

#sysctl -a|grep printk
kernel.printk = 3       4       1       7
kernel.printk_delay = 0
kernel.printk_devkmsg = on
kernel.printk_ratelimit = 5
kernel.printk_ratelimit_burst = 10
kernel.tracepoint_printk = 0

Please let me know what info can I supply to get this fixed.
S

The sysctl type should have a :silent option

In some cases (NFS in particular), the sysctl value is not present until after kernel modules have been loaded by the service starting.

In this case, the user should have the option to tell the sysctl provider to not worry about the value if it fails to apply.

My suggestion is the following:

Change def live_value to the following (untested):

def live_value
  if resource[:silent] == :true
    debug('augeasproviders_sysctl not setting live value on user request')
    return resource[:value]
  else
    return self.class.sysctl_get(resource[:name])
  end
end

Verifying hex or integer sysctl values causes augeas error

Setting a hex value within sysctl works fine:

profile::base::sysctl::rules:
  'kernel.shmmax':
    ensure: present
    value: '0xffffffffffffffff'
    target: '/etc/sysctl.d/90_rules.conf'
    comment: 'Increase defaults for IPC'

But on the second run, an error shows up:

Notice: Sysctl[kernel.shmmax]/value changed live value from '18446744073709551615' to '0xffffffffffffffff'
Error: Sysctl[kernel.shmmax]: Could not evaluate: Failed to save Augeas tree to file. See debug log for details.

Running in debug mode shows the following:

Debug: Executing: '/sbin/sysctl -w kernel.shmmax=0xffffffffffffffff'
Debug: Puppet::Type::Sysctl::ProviderAugeas: Save failure details:
/augeas/files/etc/sysctl.d/90_rules.conf/error/path = /files/etc/sysctl.d/90_rules.conf/files/etc/sysctl.d/90_rules.conf/kernel.shmmax[1]
/augeas/files/etc/sysctl.d/90_rules.conf/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/simplevars.aug:35.14.-40:
/augeas/files/etc/sysctl.d/90_rules.conf/error/message = None of the alternatives in the union match

Similar error shows up when reading integer 0 values:

Debug: Executing: '/sbin/sysctl -n net.ipv4.ip_forward'

Running command on command line returns Integer number 0
But sysctl type/provider reads value as empty string.

Missing param force / replace

Moved from the former sysctl module (not supported any more) to augeasproviders_sysctl.
Existing target files in /etc/sysctl.d cannot be overwritten:
Failed to save Augeas tree to file.
Dependency Sysctl[] has failures.

The "file" type has force / replace params; I am missing these here.
Maybe there is another simple solution?

Thanks in advance

Anton

Dead link in README

The Link towards the Puppet Augeas Prerequisite Guide in the README is dead. Maybe we should find a replacement (if possible).

'net.ipv4.conf.default.rp_filter' not a valid key

Hi,

On RHEL v6.9 with a puppet-agent v5.5.1, I get the following error:
Sysctl[net.ipv4.conf.default.rp_filter]: Could not evaluate: Error: 'net.ipv4.conf.default.rp_filter' is not a valid sysctl key

While if I run a sysctl -p, I don't get error for this specific entry:

# sysctl -p
...
net.ipv4.conf.default.rp_filter = 1
....
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key

Do you have any idea?

Regards

New to Puppet so what am I missing

Hi Team
Sorry, I am new to Puppet, but I have installed the sysctl module to manage the /etc/sysctl.conf file but I see no "default" structure for the manifest and init.pp?
Also when I go into Puppet Enterprise I cannot bring up the class to add parameters?
Am I missing something?
Many thanks
Ben

Error: `net.inet.ip.forwarding` is not a valid sysctl key on FreeBSD 11.x -- patch included

Hello team,

While using augeasproviders_sysctl for a FreeBSD 11.1 amd64 node with zleslie/bsd module, I came across this issue:

Error: /Stage[main]/Bsd::Network/Sysctl[net.inet.ip.forwarding]: Could not evaluate: Error: net.inet.ip.forwarding is not a valid sysctl key
Error: /Stage[main]/Bsd::Network/Sysctl[net.inet6.ip6.forwarding]: Could not evaluate: Error: net.inet6.ip6.forwarding is not a valid sysctl key

This is caused by the fact that the FreeBSD sysctl delimiter is a colon (':') and not an equal sign ('=') as specified in augeasproviders_sysctl/lib/puppet/provider/sysctl/augeas.rb on line 82.

As a quick workaround and possible patch, I've done the following:

if Facter.value(:kernel) == 'FreeBSD'
  value = line.split(':')
else
  value = line.split('=')
end

My puppetserver is at version 5.3.1-1.el7.noarch running on a CentOS Linux release 7.4.1708 (Core).

Please let me know if there's a better way to fix this issue.

discrepancy between title and name

This code doesn't work

sysctl { "4 - Refresh Route config":
  name    => 'net.ipv4.route.flush',
  value   => 1,
  persist => false,
}

and throws the error: "Could not evaluate: net.ipv4.route.flush is not a valid sysctl key"

This code works:

sysctl { "net.ipv4.route.flush":
  value   => 1,
  persist => false,
}

The reason might stem from net.ipv4.route.flush not showing up in sysctl --all (self.instances)

I realize this is a very special case that might be better served with an exec, especially since we want a refresh-only here! But I'm submitting it nonetheless, as someone might stumble on a similar issue.

Release 2.6.2 missing on Forge

I see commits to CHANGELOG.md and metadata.json for 2.6.2 but I don't see a tag or a release to forge. Wasn't sure if maybe a release step got missed or something or if the process is on-going?

some values set okay when puppet agent run from node, but not when run from puppet master

Puppet Enterprise 2019.8.4/OS RHEL 7 (on both puppet master and node)
I use the hercules-team augeasproviders_sysctl to set several sysctl values. Some work fine no matter how the puppet agent is run, and some only work when the puppet agent is run from the command line on the node.


Example: Debug file from puppet run using "puppet agent -t" from command line on node:
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv6.conf.all.accept_source_route'
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv4.ip_forward'
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.all.send_redirects'
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.default.send_redirects'
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.all.accept_redirects'
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.default.accept_redirects'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n net.ipv4.icmp_echo_ignore_broadcasts'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.default.accept_source_route'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.default.rp_filter'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.all.rp_filter'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.all.accept_source_route'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n kernel.randomize_va_space'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -a'
2021-08-18 14:43:12,debug,Prefetching augeas resources for sysctl

Debug log when run on same node but initiating from Puppet Master with Run Puppet:
2021-08-18 14:33:39,debug,"Resource is being skipped, unscheduling all events"
2021-08-18 14:33:39,err,Could not evaluate: Error: net.ipv6.conf.all.accept_source_route is not a valid sysctl key
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.ip_forward'
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.conf.all.send_redirects'
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.conf.default.send_redirects'
2021-08-18 14:33:39,err,Could not evaluate: Error: net.ipv4.conf.all.accept_redirects is not a valid sysctl key
2021-08-18 14:33:39,err,Could not evaluate: Error: net.ipv4.conf.default.accept_redirects is not a valid sysctl key
2021-08-18 14:33:39,err,Could not evaluate: Error: net.ipv4.icmp_echo_ignore_broadcasts is not a valid sysctl key
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.conf.default.accept_source_route'
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.conf.default.rp_filter'
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.conf.all.rp_filter'
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.conf.all.accept_source_route'
2021-08-18 14:33:39,err,Could not evaluate: Error: kernel.randomize_va_space is not a valid sysctl key
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -a'


Checks on keys on node with sysctl -a and sysctl -n yields following results or similar for all keys listed as "invalid"
#sysctl -a 2>/dev/null | grep kernel.randomize_va_space
kernel.randomize_va_space = 2

/usr/sbin/sysctl -n kernel.randomize_va_space

2

sysctl -a 2>/dev/null | grep net.ipv4.icmp_echo_ignore_broadcasts

net.ipv4.icmp_echo_ignore_broadcasts = 1

/usr/sbin/sysctl -n net.ipv4.icmp_echo_ignore_broadcasts

1


Running puppet agent from Puppet Master on node results in manifest failure for sysctl values every time, but execution of puppet by puppet agent on the node gets a fail, fail, success, fail, fail, success... pattern.


My class definition:


class profile::baseline::sysctl (
  String $kernel_randomize_va_space = '2',
  String $net_ipv4_conf_all_accept_source_route = '0',
  String $net_ipv4_conf_all_rp_filter = '1',
  String $net_ipv4_conf_default_rp_filter = '1',
  String $net_ipv4_conf_default_accept_source_route = '0',
  String $net_ipv4_icmp_echo_ignore_broadcasts = '1',
  String $net_ipv4_conf_default_accept_redirects = '0',
  String $net_ipv4_conf_all_accept_redirects = '0',
  String $net_ipv4_conf_default_send_redirects = '0',
  String $net_ipv4_conf_all_send_redirects = '0',
  String $net_ipv4_ip_forward = '0',
  String $net_ipv6_conf_all_accept_source_route = '0',
) {
  #kernel.randomize_va_space = 2
  sysctl { 'kernel.randomize_va_space':
    ensure => present,
    value  => $kernel_randomize_va_space,
  }

  #net.ipv4.conf.all.accept_source_route = 0
  sysctl { 'net.ipv4.conf.all.accept_source_route':
    ensure => present,
    value  => $net_ipv4_conf_all_accept_source_route,
  }

  #net.ipv4.conf.all.rp_filter = 1
  sysctl { 'net.ipv4.conf.all.rp_filter':
    ensure => present,
    value  => $net_ipv4_conf_all_rp_filter,
  }

  #net.ipv4.conf.default.rp_filter = 1
  sysctl { 'net.ipv4.conf.default.rp_filter':
    ensure => present,
    value  => $net_ipv4_conf_default_rp_filter,
  }

  #net.ipv4.conf.default.accept_source_route = 0
  sysctl { 'net.ipv4.conf.default.accept_source_route':
    ensure => present,
    value  => $net_ipv4_conf_default_accept_source_route,
  }

  #net.ipv4.icmp_echo_ignore_broadcasts = 1
  sysctl { 'net.ipv4.icmp_echo_ignore_broadcasts':
    ensure => present,
    value  => $net_ipv4_icmp_echo_ignore_broadcasts,
  }

  #net.ipv4.conf.default.accept_redirects = 0
  sysctl { 'net.ipv4.conf.default.accept_redirects':
    ensure => present,
    value  => $net_ipv4_conf_default_accept_redirects,
  }

  #net.ipv4.conf.all.accept_redirects = 0
  sysctl { 'net.ipv4.conf.all.accept_redirects':
    ensure => present,
    value  => $net_ipv4_conf_all_accept_redirects,
  }

  #net.ipv4.conf.default.send_redirects = 0
  sysctl { 'net.ipv4.conf.default.send_redirects':
    ensure => present,
    value  => $net_ipv4_conf_default_send_redirects,
  }

  #net.ipv4.conf.all.send_redirects = 0
  sysctl { 'net.ipv4.conf.all.send_redirects':
    ensure => present,
    value  => $net_ipv4_conf_all_send_redirects,
  }

  #net.ipv4.ip_forward = 0
  sysctl { 'net.ipv4.ip_forward':
    ensure => present,
    value  => $net_ipv4_ip_forward,
  }

  #net.ipv6.conf.all.accept_source_route = 0
  sysctl { 'net.ipv6.conf.all.accept_source_route':
    ensure => present,
    value  => $net_ipv6_conf_all_accept_source_route,
  }
}

Module not working for me

Hello,

I am using this module inside another class like below, but when I am running the puppet command on the remote machine, it's not getting executed at all.

class majorupgrade::redis ( ) {
  # some code....

  class add_sysctl_setting {

    sysctl { 'kernel.dmesg_restrict':
      ensure => present,
      value  => '1',
      target => "/etc/sysctl.conf",
    }
  }
}

Master Host : AWS
Remote host : Centos 7

Module installed :

[root@staging]# puppet module list
/etc/puppetlabs/code/environments/production/modules
├── herculesteam-augeasproviders_core (v2.1.4)
├── herculesteam-augeasproviders_sysctl (v2.2.0)
├── perficient-puppet (v0.1.0)
└── puppetlabs-stdlib (v4.5.1)

But currently, I am deploying changes for the staging instance of the remote machine, and I copy-pasted the module directories from the production path to the staging path.

[root@prftpuppet modules]# ls -tlr
drwxrwxr-x+ 8 PDEPLOY PDEPLOY 4096 Jan 29 08:18 perficient
drwxrwxr-x+ 6 PDEPLOY PDEPLOY 4096 Jan 29 08:18 stdlib
drwxr-xr-x+ 5 PDEPLOY PDEPLOY 4096 Feb 8 23:30 augeasproviders_sysctl

[root@prftpuppet modules]# pwd
/etc/puppetlabs/code/environments/staging/modules

Can you please suggest why this module is not working for me and where I have to make changes in puppet to make it work?

Thanks and Regards

FreeBSD: Large sysctl -a output takes >1h to process

Suggestion: On FreeBSD, rather than 'sysctl -a', use 'sysctl -a -W' to list only writable sysctls. This excludes statistical and other informational sysctls which on a 12.2-system easily adds up to several megabytes (hundred-and-something thousand lines) of, for our intents and purposes, garbage.

Since this won't work for all platforms, I'm not going to propose a patch that simply adds '-W' to the sysctl() call in the code, although this does work for me.

Misleading message when live value and persisted values differ

On a machine that is in this state:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
$ grep net.ipv4.ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 0

Trying to set the value of net.ipv4.ip_forward to 0 would produce the following message:

Sysctl[net.ipv4.ip_forward]/value: current_value '0', should be '0' (noop) (corrective)

This message appears to be a noop, but it would actually change the live value.
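
The state shown in this issue (live value 1, persisted value 0) can be detected independently of the provider's log message. The Ruby below is an added example, not code from this module or from the issue reporters; parse_live, parse_persisted and drift are hypothetical helpers and all sample text is constructed. parse_live takes the delimiter as a parameter, so it also covers the FreeBSD "key: value" output from the earlier issue.

```ruby
# Added example: hypothetical helpers, constructed sample data.

# Parse `sysctl -a` style output into { key => value }.
# Linux prints "key = value"; FreeBSD prints "key: value". Split on the FIRST
# delimiter only, so a value that itself contains ':' or '=' stays intact.
def parse_live(output, delimiter)
  output.each_line.with_object({}) do |line, acc|
    key, value = line.chomp.split(delimiter, 2)
    next if value.nil? || key.strip.empty?
    # Collapse tabs/spaces so "3\t4\t1\t7" compares equal to "3 4 1 7".
    acc[key.strip] = value.split.join(' ')
  end
end

# Parse sysctl.conf style text; '#' and ';' start comment lines.
def parse_persisted(text)
  text.each_line.with_object({}) do |line, acc|
    line = line.strip
    next if line.empty? || line.start_with?('#', ';')
    key, value = line.split('=', 2)
    next if value.nil?
    acc[key.strip] = value.split.join(' ')
  end
end

# For every wanted key, list where the value deviates: :live, :persisted or both.
# A key that is missing on one side counts as deviating on that side.
def drift(live, persisted, wanted)
  wanted.each_with_object({}) do |(key, want), report|
    where = []
    where << :live if live[key] != want.to_s
    where << :persisted if persisted[key] != want.to_s
    report[key] = where unless where.empty?
  end
end

# Constructed samples mirroring the formats quoted on this page.
LIVE_LINUX = "net.ipv4.ip_forward = 1\nkernel.printk = 3\t4\t1\t7\n"
PERSISTED = "# constructed sysctl.conf\nnet.ipv4.ip_forward = 0\n"
LIVE_FREEBSD = "net.inet.ip.forwarding: 0\nconstructed.key: a:b\n"

if $PROGRAM_NAME == __FILE__
  report = drift(parse_live(LIVE_LINUX, '='), parse_persisted(PERSISTED),
                 { 'net.ipv4.ip_forward' => '0' })
  report.each { |key, where| puts "#{key}: deviates in #{where.join(', ')}" }
end
```
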

value does not work; must use val

When working with 2.0.2 release, receive error:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: no parameter named 'value'

Example code:

sysctl { 'vm.swappiness':
  ensure => 'present',
  value   => '10',
}

Persisting a sysctl that does not exist yet

Hi! 👋 I want to persist a sysctl that does not exist on the running system.
This is because I want it to be enabled on next reboot before a kernel upgrade, so it gets enabled at boot before a subsequent Puppet run.

This would be something that, reading the docs, I thought would be doable using:

sysctl { "non_existing_sysctl":
  ensure  => present,
  value   => "1",
  apply   => false,
  persist => true,
}

However, if the sysctl does not exist, it currently fails (as it checks for its presence from the list obtained by sysctl -a), and if the :silent=>true parameter is set, it just adds the comment, not the actual value.

Would this be a behavior that would make sense to add to the module? I see there is some support implemented for non-existent sysctls already for absent but not for present.

Dependency with herculesteam-augeasproviders_core v3.0.0

Hi,

The last version of augeasproviders_sysctl does not accept augeasproviders_core version 3.0.0

puppet module --modulepath=/tmp/q/ install herculesteam-augeasproviders_sysctl
/tmp/q
└─┬ herculesteam-augeasproviders_sysctl (v2.6.0)
  └─┬ herculesteam-augeasproviders_core (v2.7.0)
    └── puppetlabs-stdlib (v7.1.0)

But the version 2.0.0 does not have this limit.

puppet module --modulepath=/tmp/q/ install herculesteam-augeasproviders_sysctl --version=2.0.0
/tmp/q
└─┬ herculesteam-augeasproviders_sysctl (v2.0.0)
  └─┬ herculesteam-augeasproviders_core (v3.0.0)
    └── puppetlabs-stdlib (v7.1.0)

Should it be unpublished?

Provider does not validate that the live value was successfully applied

When something fails to apply, module does not provide an error, instead keeps trying to apply the same setting on subsequent puppet agent runs.

Here is an example, setting the kernel.shmall to a value larger than is supported by the kernel:
Sysctl[kernel.shmall]/value: changed live value from '18446744073692774399' to '999999999999999999999999'

This reports success, but in checking the kernel value, it was not changed:
# sysctl -A | grep kernel.shmall
kernel.shmall = 18446744073692774399

When attempting to change the setting directly, the kernel reports an error message as expected:
# sysctl -w kernel.shmall=999999999999999999999999
sysctl: setting key "kernel.shmall": Invalid argument
kernel.shmall = 999999999999999999999999

It would be helpful for the module to report an error rather than continually reporting that it changed the live value on each puppet run (becoming non-idempotent).
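
One way to get the behaviour requested here is to read the value back after writing it and compare in a canonical form, which also addresses the hex-versus-decimal mismatch from the kernel.shmmax issue above. The Ruby below is an added example, not the provider's code; canonical, apply_and_verify, SysctlApplyError and fake_kernel are hypothetical names, and the fake kernel (which rejects values of 2**64 and above) is a constructed stand-in so the example runs without touching a real system.

```ruby
# Added example: hypothetical names; the "kernel" is a constructed stand-in.

class SysctlApplyError < StandardError; end

# Canonical form for comparison: every whitespace-separated field that is a
# hex or decimal integer becomes plain decimal; other fields are kept as text.
def canonical(value)
  value.to_s.split.map do |field|
    case field
    when /\A0x[0-9a-f]+\z/i then field.hex.to_s
    when /\A\d+\z/ then field.to_i.to_s
    else field
    end
  end.join(' ')
end

# runner: callable taking an argv array, returning [stdout, success?].
# The result of `sysctl -w` is deliberately not trusted: the output quoted in
# the issue echoes "key = value" even when the kernel refused the write.
def apply_and_verify(key, wanted, runner)
  before, ok = runner.call(['sysctl', '-n', key])
  raise SysctlApplyError, "#{key}: cannot read live value" unless ok
  return :unchanged if canonical(before) == canonical(wanted)

  runner.call(['sysctl', '-w', "#{key}=#{wanted}"])
  after, ok = runner.call(['sysctl', '-n', key])
  unless ok && canonical(after) == canonical(wanted)
    raise SysctlApplyError,
          "#{key}: wanted #{wanted.inspect}, kernel still reports #{after.to_s.strip.inspect}"
  end
  :changed
end

# Constructed fake: stores values in a hash, silently refuses integers of
# 2**64 and above, and always echoes "key = value" for a write.
def fake_kernel(state)
  lambda do |argv|
    _cmd, flag, arg = argv
    if flag == '-n'
      state.key?(arg) ? ["#{state[arg]}\n", true] : ['', false]
    else
      key, value = arg.split('=', 2)
      state[key] = canonical(value) if canonical(value).to_i < 2**64
      ["#{key} = #{value}\n", true]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  kernel = fake_kernel({ 'kernel.shmmax' => '18446744073709551615',
                         'kernel.shmall' => '18446744073692774399' })
  puts apply_and_verify('kernel.shmmax', '0xffffffffffffffff', kernel)
  begin
    apply_and_verify('kernel.shmall', '999999999999999999999999', kernel)
  rescue SysctlApplyError => e
    puts "error: #{e.message}"
  end
end
```
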

Query: Set sysctl values using hiera

I would like to set multiple sysctl values using hiera. I have checked the augeasproviders module, but it has dependencies on multiple modules and my requirement is only sysctl. Is there any best way to set sysctl values using hiera using augeasproviders_sysctl?

Could not evaluate: undefined method `[]' for nil:NilClass

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: puppetserver-7.12.0-1.el8.noarch; puppet-agent 7.25.0-1focal
  • Ruby: ruby-2.7.8-139.module+el8.8.0+1320+d2449f6f.x86_64; the one that comes with puppet-agent
  • Distribution: rocky linux 8/ubuntu focal fossa
  • Module version: straight from git, up to date with master.

How to reproduce (e.g Puppet code you use)

  sysctl { 'kernel.yama.ptrace_scope':
    ensure => present,
    value  => '0',
    target => '/etc/sysctl.d/10-ptrace.conf',
    comment => 'Closes #24182',
  }

  sysctl { 'kernel.core_pattern':
    ensure => present,
    value  => 'core-%p-%E',
    target => '/etc/sysctl.d/10-core_pattern.conf',
    comment => 'Closes #28134',
  }

What are you seeing

Error: /Stage[main]/Buildhost/Sysctl[kernel.yama.ptrace_scope]: Could not evaluate: undefined method `[]' for nil:NilClass
Error: /Stage[main]/Buildhost/Sysctl[kernel.core_pattern]: Could not evaluate: undefined method `[]' for nil:NilClass

What behaviour did you expect instead

Output log

Any additional information you'd like to impart

Error: Could not prefetch sysctl provider 'augeas': undefined method `context=' for #<Augeas:0x7f010c270830>

Hello,

we were looking to employ this Puppet custom resource type in order to manage our sysctl settings. However, on our Scientific Linux 6 (supposedly similar to RHEL 6) machines, the following error message is printed:

Could not prefetch sysctl provider 'augeas': undefined method `context=' for #<Augeas:0x7f010c270830>

As far as we can tell, all requirements and dependencies are met:

  • Puppet client and master are version 3.8.4
  • Augeas v1.8.1
  • augeasproviders_sysctl v2.2.1
  • augeasproviders_core v2.4.0

I could not find 'context=' in the augeas provider implementation, so I cannot tell where this error comes from. Did you by any chance encounter it in the past already?

Best regards,
Xavier.

Error: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

I get this error when I use more than one target file,
and after changing the value or the comment in the last file (/etc/sysctl.d/90-kernel.conf).

Example code:

sysctl { 'net.ipv4.tcp_syncookies':
  ensure  => present,
  value   => '1',
  comment => 'Turn on protection from Denial of Service (DOS) attacks',
  target  => '/etc/sysctl.d/90-net.conf',
}

sysctl { 'kernel.panic':
  ensure  => present,
  value   => '20',
  comment => 'Automatic reboot 20 sec after kernel panic',
  target  => '/etc/sysctl.d/90-kernel.conf',
}

The first puppet agent run is going well. But after changing the code (value of kernel.panic changed from 20 into 30):

sysctl { 'net.ipv4.tcp_syncookies':
  ensure  => present,
  value   => '1',
  comment => 'Turn on protection from Denial of Service (DOS) attacks',
  target  => '/etc/sysctl.d/90-net.conf',
}

sysctl { 'kernel.panic':
  ensure  => present,
  value   => '30',
  comment => 'Automatic reboot 30 sec after kernel panic',
  target  => '/etc/sysctl.d/90-kernel.conf',
}

I get the messages:

Notice: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]/value: changed configuration value from '20' to '30' and live value from '20' to '30'
Notice: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]/comment: comment changed 'Automatic reboot 20 sec after kernel panic' to 'Automatic reboot 30 sec after kernel panic'
Error: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

It works only when I also change the order of my code (move the changing part to the top) into:

   sysctl { 'kernel.panic':
      ensure  => present,
      value   => '30',
      comment => 'Automatic reboot 30 sec after kernel panic',
      target  => '/etc/sysctl.d/90-kernel.conf',
  }

  sysctl { 'net.ipv4.tcp_syncookies':
      ensure  => present,
      value   => '1',
      comment => 'Turn on protection from Denial of Service (DOS) attacks',
      target  => '/etc/sysctl.d/90-net.conf',
  }

Now the Puppet agent run is going well again:

Notice: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]/value: changed configuration value from '20' to '30'
Notice: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]/comment: comment changed 'Automatic reboot 20 sec after kernel panic' to 'Automatic reboot 30 sec after kernel panic'
Notice: Applied catalog in 9.14 seconds

Caching sysctl keys produces unexpected behaviors

My understanding is that this resource will prefetch all of the sysctl keys, store these in a cache, then use that cache to validate sysctl resources.

This causes some unexpected behaviors when loading kernel modules. In particular, I have the following Puppet code:

Class 1:

# sysctl tuning
sysctl { ... }

Class 2:

kmod::load { 'br_netfilter': }
-> sysctl { 'net.bridge.bridge-nf-call-iptables':
    ensure => present,
    value    => 1,
}

Where Class 1 is executed before Class 2.

When applied, I receive the following error:

Sysctl[net.bridge.bridge-nf-call-iptables]: Could not evaluate: Error: net.bridge.bridge-nf-call-iptables is not a valid sysctl key

If I run modprobe br_netfilter before Puppet agent applies the catalog (or rerun puppet agent -t after receiving the error), I see

Debug: Executing: '/sbin/sysctl -n net.bridge.bridge-nf-call-iptables'

suggesting the resources were applied successfully.

The net.bridge.bridge-nf-call-iptables key is loaded in with the br_netfilter kernel module. However, it appears the resource provider does not reflect this new key as the cache was populated before the loading of the kernel module.

Is it possible to manually force the cache to repopulate?
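
The stale-snapshot behaviour described in this issue, and one way around it, as an added Ruby example (not the provider's implementation; SysctlKeyCache and its two callables are hypothetical). The full listing is taken once, and a key that is missing from the snapshot is re-checked individually before being declared invalid, so a key that appears after a kernel module load is accepted without a second full listing. The "kernel" here is a constructed array.

```ruby
# Added example: hypothetical class; the kernel key list is constructed.
require 'set'

class SysctlKeyCache
  attr_reader :full_scans, :probes

  # list_all: callable returning every key present right now (the `sysctl -a` role).
  # probe:    callable(key) -> true if that single key exists right now
  #           (the `sysctl -n <key>` role).
  def initialize(list_all, probe)
    @list_all = list_all
    @probe = probe
    @keys = nil
    @full_scans = 0
    @probes = 0
  end

  def valid?(key)
    snapshot.include?(key) || recheck(key)
  end

  private

  # Take the expensive full listing only once per run.
  def snapshot
    return @keys if @keys
    @full_scans += 1
    @keys = @list_all.call.to_set
  end

  # Snapshot miss: the key may have appeared since the snapshot was taken
  # (for example after a module load), so ask about this one key only.
  def recheck(key)
    @probes += 1
    return false unless @probe.call(key)
    @keys << key
    true
  end
end

if $PROGRAM_NAME == __FILE__
  kernel = ['net.ipv4.ip_forward']                       # constructed state
  cache = SysctlKeyCache.new(-> { kernel.dup }, ->(k) { kernel.include?(k) })
  key = 'net.bridge.bridge-nf-call-iptables'
  puts cache.valid?(key)   # false: module not loaded yet
  kernel << key            # stands in for loading br_netfilter
  puts cache.valid?(key)   # true: found by the single-key recheck
end
```
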

sysctl reload option

Hi,

I am starting to use this module.
It is not clear from the documentation if the sysctl rules are applied or not by default after the configuration.

Which is the behavior?
Can you please update the documentation?

HTH,
Daniele

Sysctl is re-applied every time

With the last version 2.6.1, Puppet will apply the same sysctl settings every time it runs.

The extract from debug output of the Puppet agent

Debug: Prefetching augeas resources for sysctl
Debug: Executing: '/sbin/sysctl -e net.ipv4.tcp_keepalive_time net.ipv4.tcp_keepalive_intvl net.ipv4.tcp_keepalive_probes'
Debug: Executing: '/sbin/sysctl -n net.ipv4.tcp_keepalive_time'
Debug: Executing: '/sbin/sysctl -n net.ipv4.tcp_keepalive_time'
Notice: /Stage[main]/Profiles::Tcpkeepalive/Sysctl[net.ipv4.tcp_keepalive_time]/value: changed configuration value from '' to '30'
Debug: Executing: '/sbin/sysctl -w net.ipv4.tcp_keepalive_time=30'
Debug: /Stage[main]/Profiles::Tcpkeepalive/Sysctl[net.ipv4.tcp_keepalive_time]: The container Class[Profiles::Tcpkeepalive] will propagate my refresh event
Debug: Executing: '/sbin/sysctl -n net.ipv4.tcp_keepalive_intvl'
Debug: Executing: '/sbin/sysctl -n net.ipv4.tcp_keepalive_probes'

For some reason, Puppet fails to retrieve the current value of net.ipv4.tcp_keepalive_time and re-applies it.
This does not occur with version 2.6.0.

The Puppet code

class profiles::tcpkeepalive (
  Integer $tcp_keepalive_time = 30,
  Integer $tcp_keepalive_intvl = 10,
  Integer $tcp_keepalive_probes = 6,
){
  ensure_resource(
    'sysctl', 'net.ipv4.tcp_keepalive_time', {
      ensure => present,
      value  => $tcp_keepalive_time,
      target => '/etc/sysctl.d/tcp_keeplive.conf',
    })
  ensure_resource(
    'sysctl', 'net.ipv4.tcp_keepalive_intvl', {
      ensure => present,
      value  => $tcp_keepalive_intvl,
      target => '/etc/sysctl.d/tcp_keeplive.conf',
    })
  ensure_resource(
    'sysctl', 'net.ipv4.tcp_keepalive_probes', {
      ensure => present,
      value  => $tcp_keepalive_probes,
      target => '/etc/sysctl.d/tcp_keeplive.conf',
    })
}

The technical context

# puppet --version
6.24.0
# cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)

Using with Hiera

Can you write in the documentation/examples how we can use this provider to describe the sysctl parameters via hiera? Thank you.

Please allow for the use of `/` as a key separator, as described in the `sysctl` man page

In RHEL, the sysctl man page describes the use of / as a key separator instead of .:

PARAMETERS
       variable
              The  name  of  a  key to read from.  An example is kernel.ostype.  The ’/’ separator is also accepted in
              place of a ’.’.

This is required in situations where a sub-key name itself includes a ., such as network interfaces with vlans (bond0.209 for example). Specifically:

# sysctl net.ipv4.conf.bond0.209.rp_filter
error: "net.ipv4.conf.bond0.209.rp_filter" is an unknown key
# sysctl net/ipv4/conf/bond0.209/rp_filter
net.ipv4.conf.bond0/209.rp_filter = 1
# sysctl net.ipv4.conf.bond0/209.rp_filter
net.ipv4.conf.bond0/209.rp_filter = 1

As seen in the output of the second example, you can apparently also replace a . in the sub-key name with a /.

However, neither work-around works with the augeas provider, because the / apparently breaks the parsing of the key names:

# puppet apply -t --debug -e 'sysctl {"net/ipv4/conf/bond0.209/rp_filter": value=>2 }'
…
Notice: /Stage[main]/Main/Sysctl[net/ipv4/conf/bond0.209/rp_filter]/ensure: created
Debug: Puppet::Type::Sysctl::ProviderAugeas: Save failure details:
/augeas/files/etc/sysctl.conf/error/path = /files/etc/sysctl.conf/net
/augeas/files/etc/sysctl.conf/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/simplevars.aug:34.7-36.43:
/augeas/files/etc/sysctl.conf/error/message = Failed to match

()
 (     | { })
()
 (     | { /#comment/ = /[^\001-\004\t\n\r ][^\001-\004\n]*[^\001-\004\t\n\r ]|[^\001-\004\t\n\r ]/ })
  with tree
    { "ipv4" }
Error: /Stage[main]/Main/Sysctl[net/ipv4/conf/bond0.209/rp_filter]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.
…
# puppet apply -t --debug -e 'sysctl {"net.ipv4.conf.bond0/209.rp_filter": value=>2 }'
…
Notice: /Stage[main]/Main/Sysctl[net.ipv4.conf.bond0/209.rp_filter]/ensure: created
Debug: Puppet::Type::Sysctl::ProviderAugeas: Save failure details:
/augeas/files/etc/sysctl.conf/error/path = /files/etc/sysctl.conf/net.ipv4.conf.bond0
/augeas/files/etc/sysctl.conf/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/simplevars.aug:34.7-36.43:
/augeas/files/etc/sysctl.conf/error/message = Failed to match

()
 (     | { })
()
 (     | { /#comment/ = /[^\001-\004\t\n\r ][^\001-\004\n]*[^\001-\004\t\n\r ]|[^\001-\004\t\n\r ]/ })
  with tree
    { "209.rp_filter" = "2" }
Error: /Stage[main]/Main/Sysctl[net.ipv4.conf.bond0/209.rp_filter]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

Please update the augeas lens to allow the use of this work-around.

net.ipv4.conf.br1/403.rp_filter error

[root@localhost tmp]# sysctl -a | grep "net.ipv4.conf.br1/403.rp_filter"
net.ipv4.conf.br1/403.rp_filter = 1

[root@localhost tmp]# cat /tmp/t.pp

sysctl { 'net.ipv4.conf.br1/403.rp_filter':
  ensure => present,
  value  => "2",
}


[root@localhost tmp]# /opt/puppetlabs/bin/puppet apply /tmp/t.pp
Error: Evaluation Error: Error while evaluating a Resource Statement, Unknown resource type: 'sysctl' (file: /tmp/t.pp, line: 2, column: 1) on node localhost

Error in /

sysctl { 'net.ipv4.conf.br1/403.rp_filter':
  ensure => present,
  value  => "2",
}

Performed manually OK

[root@localhost tmp]# sysctl -w net.ipv4.conf.br1/403.rp_filter=2
net.ipv4.conf.br1/403.rp_filter = 2
[root@localhost tmp]# sysctl -a | grep "net.ipv4.conf.br1/403.rp_filter"
net.ipv4.conf.br1/403.rp_filter = 2
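
The two reports above both involve interface names that contain a dot (`bond0.209`, `br1.403`), written with sysctl's separator rule. The following is an added example, not code from the module or from either reporter. It maps both key spellings to the same `/proc/sys` path and reports drift between desired and running values, which is a way to check that a hardening setting such as `rp_filter` really took effect when the provider fails to save. The function names and the sample tree are constructed for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Map a sysctl key to its path relative to /proc/sys.
# Separator rule (sysctl.d(5)): if the first separator is '/', the key is
# already a path and is left intact; if it is '.', dots and slashes are
# interchanged, so "bond0/209" names the interface "bond0.209".
def sysctl_key_to_relpath(key)
  raise ArgumentError, 'empty sysctl key' if key.nil? || key.empty?
  rel = key[/[.\/]/] == '.' ? key.tr('./', '/.') : key
  # Reject empty or traversal components before touching the filesystem.
  if rel.split('/', -1).any? { |part| part.empty? || part == '.' || part == '..' }
    raise ArgumentError, "unsafe sysctl key: #{key.inspect}"
  end
  rel
end

# Read the running value of a key, or nil when the kernel does not expose it.
def running_value(key, proc_root = '/proc/sys')
  path = File.join(proc_root, sysctl_key_to_relpath(key))
  File.file?(path) ? File.read(path).strip : nil
end

# Return { key => { want:, have: } } for every key whose running value
# differs from the desired one (a missing key is reported with have: nil).
def sysctl_drift(desired, proc_root = '/proc/sys')
  desired.each_with_object({}) do |(key, want), drift|
    have = running_value(key, proc_root)
    drift[key] = { want: want.to_s, have: have } unless have == want.to_s
  end
end

# Constructed sample: a fake /proc/sys tree in a temp dir, so this runs
# without root and without touching the real kernel settings.
def demo_drift
  Dir.mktmpdir do |root|
    { 'net/ipv4/conf/br1.403/rp_filter'   => "1\n",
      'net/ipv4/conf/bond0.209/rp_filter' => "2\n",
      'net/ipv4/ip_forward'               => "1\n" }.each do |rel, content|
      path = File.join(root, rel)
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, content)
    end
    desired = { 'net.ipv4.conf.br1/403.rp_filter'   => 2, # dot form
                'net/ipv4/conf/bond0.209/rp_filter' => 2, # path form
                'net.ipv4.ip_forward'               => 1 }
    sysctl_drift(desired, root)
  end
end

demo_drift.each { |key, d| puts "#{key}: want #{d[:want]}, have #{d[:have].inspect}" }
```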

x86_64 server with 1792 cpu cores - sysctl -a parsing takes >30min

Hi,
we have a huge x86_64 machine which has 1792 logical cpus. This means we have 122903 sysctl entries and 120853 of them are cpu related. It looks like the parsing of "sysctl -a" takes more than 30 minutes to complete.
Currently I have no idea on how to fix that, except for tuning the parsing somehow.
I will clarify if there is any option to hide specific parameters, but so far I haven't found something.

Best
Marcel

Works on OpenBSD!

Seems to work on OpenBSD, tried it on 5.7 and 5.8; /etc/sysctl.conf is updated and sysctl values are updated without the need of a reboot. I think it's safe to add OpenBSD to the compatible os list. Probably should work on FreeBSD as well but I have not tested yet.

Comments

Firstly thanks for the module.

I have a question - would it be possible to have comments spanning multiple lines or be able to add a new line at the start of the comment so that when the lines are added in /etc/sysctl.conf file they are not all crammed together and are more readable?

Example:

  sysctl { 'net.ipv4.conf.default.proxy_arp':
    ensure  => present,
    value   => '0',
    comment => 'Switch off ARP proxying'
  }

  sysctl { 'net.ipv4.tcp_max_orphans':
    ensure  => present,
    value   => '256',
    comment => 'Increase the number of remembered connection requests awaiting acknowledgement from the client'
  }
  sysctl { 'net.ipv4.tcp_max_syn_backlog':
    ensure  => present,
    value   => '4096',
    comment => 'Increase the number of remembered connection requests awaiting acknowledgement from the client'
  }

This is what it currently produces:

# net.ipv4.conf.default.proxy_arp: Switch off ARP proxying
net.ipv4.conf.default.proxy_arp = 0
# net.ipv4.tcp_max_syn_backlog: Increase the number of remembered connection requests awaiting acknowledgement from the client
net.ipv4.tcp_max_syn_backlog = 4096
# net.ipv4.tcp_max_orphans: Increase the number of remembered connection requests awaiting acknowledgement from the client
net.ipv4.tcp_max_orphans = 256

What would be nice is to be able to write the following:

  sysctl { 'net.ipv4.tcp_max_syn_backlog':
    ensure  => present,
    value   => '4096',
    comment => '\n\n Increase the number of remembered connection requests awaiting acknowledgement from the client'
  }

which produces lines in the file as shown:

# net.ipv4.conf.default.proxy_arp: Switch off ARP proxying
net.ipv4.conf.default.proxy_arp = 0

# net.ipv4.tcp_max_syn_backlog: Increase the number of remembered 
#  connection requests awaiting acknowledgement from the client
net.ipv4.tcp_max_syn_backlog = 4096

# net.ipv4.tcp_max_orphans: Increase the number of remembered 
#  connection requests awaiting acknowledgement from the client
net.ipv4.tcp_max_orphans = 256

Thanks

Joe..

Fails to edit existing value

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 8.5.0
  • Ruby: AIO
  • Distribution: CentOS Stream 9
  • Module version: 3.2.0

How to reproduce (e.g Puppet code you use)

I've got hiera that overrides the value of vm.dirty_background_ratio based on the size of the disk

What are you seeing

Failure to set the value

What behaviour did you expect instead

Success

Output log

Notice: /Stage[main]/Stdlib::Manage/Sysctl[vm.dirty_background_ratio]/value: changed configuration value from '13' to '10' (corrective)
Debug: Executing: '/usr/sbin/sysctl -w vm.dirty_background_ratio=10'
Debug: Puppet::Type::Sysctl::ProviderAugeas: Save failure details:
/augeas/files/etc/sysctl.d/kernel.sched_autogroup_enabled.conf/error/path = /files/etc/sysctl.d/kernel.sched_autogroup_enabled.conf/files/etc/sysctl.d/kernel.sched_autogroup_enabled.conf/kernel.sched_autogroup_enabled[1]
/augeas/files/etc/sysctl.d/kernel.sched_autogroup_enabled.conf/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/sysctl.aug:45.14-.40:
/augeas/files/etc/sysctl.d/kernel.sched_autogroup_enabled.conf/error/message = None of the alternatives in the union match
/augeas/files/etc/sysctl.d/kernel.yama.ptrace_scope.conf/error/path = /files/etc/sysctl.d/kernel.yama.ptrace_scope.conf/files/etc/sysctl.d/kernel.yama.ptrace_scope.conf/kernel.yama.ptrace_scope[1]
/augeas/files/etc/sysctl.d/kernel.yama.ptrace_scope.conf/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/sysctl.aug:45.14-.40:
/augeas/files/etc/sysctl.d/kernel.yama.ptrace_scope.conf/error/message = None of the alternatives in the union match
/augeas/files/etc/sysctl.d/vm.dirty_background_ratio.conf/error/path = /files/etc/sysctl.d/vm.dirty_background_ratio.conf/files/etc/sysctl.d/vm.dirty_background_ratio.conf/vm.dirty_background_ratio[1]
/augeas/files/etc/sysctl.d/vm.dirty_background_ratio.conf/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/sysctl.aug:45.14-.40:
/augeas/files/etc/sysctl.d/vm.dirty_background_ratio.conf/error/message = None of the alternatives in the union match
Error: /Stage[main]/Stdlib::Manage/Sysctl[vm.dirty_background_ratio]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.
/opt/puppetlabs/puppet/cache/lib/puppet/provider/augeasprovider/default.rb:146:in `rescue in augsave!'
/opt/puppetlabs/puppet/cache/lib/puppet/provider/augeasprovider/default.rb:137:in `augsave!'
/opt/puppetlabs/puppet/cache/lib/puppet/provider/augeasprovider/default.rb:748:in `augsave!'
/opt/puppetlabs/puppet/cache/lib/puppet/provider/augeasprovider/default.rb:894:in `flush'
/opt/puppetlabs/puppet/cache/lib/puppet/provider/sysctl/augeas.rb:272:in `flush'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:1038:in `flush'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:27:in `evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:270:in `apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:291:in `eval_resource'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:194:in `call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:194:in `block (2 levels) in evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:511:in `block in thinmark'
/opt/puppetlabs/puppet/lib/ruby/3.2.0/benchmark.rb:311:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:510:in `thinmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:194:in `block in evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/graph/relationship_graph.rb:124:in `traverse'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:181:in `evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:241:in `block (2 levels) in apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:511:in `block in thinmark'
/opt/puppetlabs/puppet/lib/ruby/3.2.0/benchmark.rb:311:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:510:in `thinmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:240:in `block in apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/log.rb:167:in `with_destination'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/report.rb:153:in `as_logging_destination'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:239:in `apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:288:in `block (2 levels) in apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:511:in `block in thinmark'
/opt/puppetlabs/puppet/lib/ruby/3.2.0/benchmark.rb:311:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:510:in `thinmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:287:in `block in apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:190:in `block in benchmark'
/opt/puppetlabs/puppet/lib/ruby/3.2.0/benchmark.rb:311:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:189:in `benchmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:286:in `apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:504:in `run_internal'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:341:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:85:in `block (6 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:64:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:288:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:84:in `block (5 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/3.2.0/timeout.rb:189:in `block in timeout'
/opt/puppetlabs/puppet/lib/ruby/3.2.0/timeout.rb:196:in `timeout'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:83:in `block (4 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent/locker.rb:23:in `lock'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:73:in `block (3 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:164:in `with_client'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:69:in `block (2 levels) in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:129:in `run_in_fork'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:68:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:174:in `controlled_run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:49:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:437:in `onetime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:394:in `block in run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:64:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:288:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:391:in `run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:423:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:697:in `exit_on_fail'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:423:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:145:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:79:in `execute'
/opt/puppetlabs/puppet/bin/puppet:6:in `<main>'

Any additional information you'd like to impart

If I remove the /etc/sysctl.d/kernel.sched_autogroup_enabled.conf file, it saves to disk successfully.

Don't try to set a comment, if apply and persist is false

For some hosts we're not allowed to set a value. So we thought of setting apply and persist to false.
This basically works but during each puppet run, the module tries to set a comment which fails.
I think it shouldn't try to set a comment if both "apply" and "persist" are set to false.

...
Info: Loading facts
Info: Caching catalog for xxx
Info: Applying configuration version 'yyy'
Notice: /Stage[main]/Sysctl_hardening::Settings/Sysctl[net.ipv4.tcp_timestamps]/comment: comment changed '' to 'MANAGED BY PUPPET. DO NOT EDIT!'
...

  sysctl { 'net.ipv4.tcp_timestamps':
    ensure  => present,
    value   => '0',
    apply   => false,
    persist => false,
    comment => 'MANAGED BY PUPPET. DO NOT EDIT!',
  }

Unable to specify duplicate sysctl value even though target is different

Hi,

I'm working on a very LARGE project that wants node defaults and application updates to those defaults. vm.swappiness is a perfect example. By default they want 60, but certain applications need 0. I was hoping to manage both conditions with different sysctl.d/NN-target.conf files, but the second instance throws a duplicate declaration error.

Any chance this behavior could be changed?

Thanks,

== k+ ==

sysctl prefetch fails with "no implicit conversion of Array into String"

On a FreeBSD 12.2-RELEASE-p10 system, when my puppet catalog tried to apply, I get the error message:

Debug: Prefetching augeas resources for sysctl
Error: Could not prefetch sysctl provider 'augeas': no implicit conversion of Array into String
/var/puppet/lib/puppet/provider/sysctl/augeas.rb:96:in `block in instances'
/var/puppet/lib/puppet/provider/sysctl/augeas.rb:95:in `each'
/var/puppet/lib/puppet/provider/sysctl/augeas.rb:95:in `each_slice'
/var/puppet/lib/puppet/provider/sysctl/augeas.rb:95:in `instances'
/var/puppet/lib/puppet/provider/sysctl/augeas.rb:143:in `prefetch'
/usr/local/lib/ruby/site_ruby/2.7/puppet/transaction.rb:378:in `prefetch'
/usr/local/lib/ruby/site_ruby/2.7/puppet/transaction.rb:260:in `prefetch_if_necessary'
/usr/local/lib/ruby/site_ruby/2.7/puppet/transaction.rb:115:in `block in evaluate'
/usr/local/lib/ruby/site_ruby/2.7/puppet/graph/relationship_graph.rb:120:in `traverse'
/usr/local/lib/ruby/site_ruby/2.7/puppet/transaction.rb:178:in `evaluate'
/usr/local/lib/ruby/site_ruby/2.7/puppet/resource/catalog.rb:240:in `block (2 levels) in apply'
/usr/local/lib/ruby/site_ruby/2.7/puppet/util.rb:546:in `block in thinmark'
/usr/local/lib/ruby/2.7/benchmark.rb:308:in `realtime'
/usr/local/lib/ruby/site_ruby/2.7/puppet/util.rb:545:in `thinmark'
/usr/local/lib/ruby/site_ruby/2.7/puppet/resource/catalog.rb:239:in `block in apply'
/usr/local/lib/ruby/site_ruby/2.7/puppet/util/log.rb:161:in `with_destination'
/usr/local/lib/ruby/site_ruby/2.7/puppet/transaction/report.rb:148:in `as_logging_destination'
/usr/local/lib/ruby/site_ruby/2.7/puppet/resource/catalog.rb:238:in `apply'
/usr/local/lib/ruby/site_ruby/2.7/puppet/configurer.rb:193:in `block (2 levels) in apply_catalog'
/usr/local/lib/ruby/site_ruby/2.7/puppet/util.rb:546:in `block in thinmark'
/usr/local/lib/ruby/2.7/benchmark.rb:308:in `realtime'
/usr/local/lib/ruby/site_ruby/2.7/puppet/util.rb:545:in `thinmark'
/usr/local/lib/ruby/site_ruby/2.7/puppet/configurer.rb:192:in `block in apply_catalog'
/usr/local/lib/ruby/site_ruby/2.7/puppet/util.rb:233:in `block in benchmark'
/usr/local/lib/ruby/2.7/benchmark.rb:308:in `realtime'
/usr/local/lib/ruby/site_ruby/2.7/puppet/util.rb:232:in `benchmark'
/usr/local/lib/ruby/site_ruby/2.7/puppet/configurer.rb:191:in `apply_catalog'
/usr/local/lib/ruby/site_ruby/2.7/puppet/configurer.rb:433:in `run_internal'
/usr/local/lib/ruby/site_ruby/2.7/puppet/configurer.rb:248:in `block in run'
/usr/local/lib/ruby/site_ruby/2.7/puppet/context.rb:62:in `override'
/usr/local/lib/ruby/site_ruby/2.7/puppet.rb:314:in `override'
/usr/local/lib/ruby/site_ruby/2.7/puppet/configurer.rb:218:in `run'
/usr/local/lib/ruby/site_ruby/2.7/puppet/agent.rb:60:in `block (5 levels) in run'
/usr/local/lib/ruby/2.7/timeout.rb:95:in `block in timeout'
/usr/local/lib/ruby/2.7/timeout.rb:105:in `timeout'
/usr/local/lib/ruby/site_ruby/2.7/puppet/agent.rb:59:in `block (4 levels) in run'
/usr/local/lib/ruby/site_ruby/2.7/puppet/agent/locker.rb:21:in `lock'
/usr/local/lib/ruby/site_ruby/2.7/puppet/agent.rb:53:in `block (3 levels) in run'
/usr/local/lib/ruby/site_ruby/2.7/puppet/agent.rb:136:in `with_client'
/usr/local/lib/ruby/site_ruby/2.7/puppet/agent.rb:50:in `block (2 levels) in run'
/usr/local/lib/ruby/site_ruby/2.7/puppet/agent.rb:101:in `run_in_fork'
/usr/local/lib/ruby/site_ruby/2.7/puppet/agent.rb:49:in `block in run'
/usr/local/lib/ruby/site_ruby/2.7/puppet/application.rb:179:in `controlled_run'
/usr/local/lib/ruby/site_ruby/2.7/puppet/agent.rb:47:in `run'
/usr/local/lib/ruby/site_ruby/2.7/puppet/application/agent.rb:433:in `onetime'
/usr/local/lib/ruby/site_ruby/2.7/puppet/application/agent.rb:393:in `block in run_command'
/usr/local/lib/ruby/site_ruby/2.7/puppet/context.rb:62:in `override'
/usr/local/lib/ruby/site_ruby/2.7/puppet.rb:314:in `override'
/usr/local/lib/ruby/site_ruby/2.7/puppet/application/agent.rb:389:in `run_command'
/usr/local/lib/ruby/site_ruby/2.7/puppet/application.rb:382:in `block in run'
/usr/local/lib/ruby/site_ruby/2.7/puppet/util.rb:735:in `exit_on_fail'
/usr/local/lib/ruby/site_ruby/2.7/puppet/application.rb:382:in `run'
/usr/local/lib/ruby/site_ruby/2.7/puppet/util/command_line.rb:143:in `run'
/usr/local/lib/ruby/site_ruby/2.7/puppet/util/command_line.rb:77:in `execute'
/usr/local/bin/puppet:5:in `<main>'

Puppet Code

I do try to set a few sysctl values:

  sysctl {
    'security.bsd.see_other_uids':
      ensure => present,
      value  => '0';

    'security.bsd.see_other_gids':
      ensure => present,
      value  => '0';
  }

Versions

OS: FreeBSD 12.2-RELEASE-p10
Puppet version : 6.23.0
Module version: 2.6.1

upgrading to 2.6.1 gives "not a valid sysctl key" error on CentOS

After upgrading to 2.6.1 catalog compilation is failing.

For a class as follows:

# @summary Profile for managing common entries in /etc/sysctl.d
class profiles::sysctl::common {

  $target = '/etc/sysctl.d/01-ipv4.conf'

  sysctl { 'net.ipv4.ip_forward':
    ensure => present,
    value  => '1',
    target => $target,
  }
  sysctl { 'net.ipv4.ip_nonlocal_bind':
    ensure => present,
    value  => '1',
    target => $target,
  }
}

I'm getting the following (in debug mode - short snippet):

Debug: Prefetching augeas resources for sysctl
Debug: Facter: resolving fact with user_query: kernel
Debug: Facter: Searching fact: kernel in file: kernel.rb
Debug: Facter: Searching fact: kernel in core facts and external facts
Debug: Facter: Loading all internal facts
Debug: Facter: List of resolvable facts: [#<Facter::SearchedFact:0x0000000004812550 @name="kernel", @fact_class=Facts::Linux::Kernel, @user_query="kernel", @type=:core, @file=nil>]
Debug: Facter: Loading external facts
Debug: Facter: fact "kernel" has resolved to: Linux
Debug: Facter: resolving fact with user_query: kernel
Debug: Facter: Searching fact: kernel in file: kernel.rb
Debug: Facter: Searching fact: kernel in core facts and external facts
Debug: Facter: Loading all internal facts
Debug: Facter: List of resolvable facts: [#<Facter::SearchedFact:0x0000000006950f00 @name="kernel", @fact_class=Facts::Linux::Kernel, @user_query="kernel", @type=:core, @file=nil>]
Debug: Facter: Loading external facts
Debug: Facter: fact "kernel" has resolved to: Linux
Debug: Executing: '/sbin/sysctl -e net.ipv4.ip_forward net.ipv4.ip_nonlocal_bind'
Error: /Stage[main]/Profiles::Sysctl::Common/Sysctl[net.ipv4.ip_forward]: Could not evaluate: Error: `net.ipv4.ip_forward` is not a valid sysctl key
Error: /Stage[main]/Profiles::Sysctl::Common/Sysctl[net.ipv4.ip_nonlocal_bind]: Could not evaluate: Error: `net.ipv4.ip_nonlocal_bind` is not a valid sysctl key
Debug: Class[Profiles::Sysctl::Common]: Resource is being skipped, unscheduling all events

Output of sysctl is:

# /sbin/sysctl -e net.ipv4.ip_forward net.ipv4.ip_nonlocal_bind
net.ipv4.ip_forward = 1
net.ipv4.ip_nonlocal_bind = 1

No issues with 2.6.0.

# puppet --version
7.10.0
# cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)
# uname -a
Linux REDACTED 3.10.0-1160.41.1.el7.x86_64 #1 SMP Tue Aug 31 14:52:47 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
